New Gold Protocol (NGP), a decentralized finance (DeFi) project built on the BNB Chain, became the latest target of a sophisticated exploit on Wednesday. The attacker drained nearly $2 million worth of assets from the project’s liquidity pool before moving the stolen funds through Tornado Cash, making them nearly impossible to trace.
How the exploit happened
According to Web3 security firm Blockaid, the attacker targeted a vulnerability in the getPrice() function of NGP's smart contract. This function works out the price of NGP tokens by simply looking at the reserves in its Uniswap V2 pool.
Blockaid explained that relying on a single decentralized exchange (DEX) pool for price data left the protocol exposed. “A spot price from a single DEX pool is insecure because an attacker can easily and dramatically manipulate the pool’s reserves within a single atomic transaction using a flash loan,” the firm said.
The exploit began when the attacker initiated a flash loan, temporarily borrowing a large number of tokens. They then executed a swap to manipulate the mainPair pool, which boosted the USDT reserve while draining NGP tokens. This trick made the getPrice() function show a much lower token value than it really was.
With the system fooled, the attacker slipped past the contract’s transaction limits and managed to buy a huge amount of NGP tokens at a cheap, manipulated price.
Aftermath of the hack
Once the tokens were drained, the attacker quickly swapped them into Ethereum and pushed the funds through Tornado Cash, the Ethereum mixer often linked to hacks. At that point the trail went cold, and getting the funds back is next to impossible.
Word of the hack got around quickly and put the DeFi community on edge. NGP’s token price crashed within hours, and investors were left unsettled. So far, NGP has not laid out any plan on how it will recover the stolen money or compensate users who lost out.
Bigger lessons for DeFi
The NGP exploit is another reminder of how dangerous it is for protocols to depend on a single price source. Flash loans, which allow attackers to borrow and use large sums in one go, continue to be a major tool in these kinds of attacks.
Experts believe projects should focus on building safer systems by using more than one price feed, carrying out regular audits, and adding stronger protections to their contracts.
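To make the single-pool risk concrete, the following Python model is an added illustration, not code from NGP or Blockaid. It compares the reserve-ratio spot price with a time-weighted average (TWAP) built from a Uniswap V2-style price accumulator, and gates on the deviation between them. TWAP is one common protection the article does not name; the reserves, amounts, threshold and all function names are constructed for the example.

```python
# Added example: constructed numbers and hypothetical names, Uniswap V2-style math.
from dataclasses import dataclass

FEE = 0.997  # Uniswap V2 charges 0.3% on the input amount


@dataclass
class Pool:
    usdt: float              # USDT reserve
    ngp: float               # NGP reserve
    cumulative: float = 0.0  # running sum of spot price * seconds elapsed
    last_ts: int = 0

    def spot(self) -> float:  # what a reserve-based getPrice()-style read returns
        return self.usdt / self.ngp

    def sync(self, now: int) -> None:  # accrue the old price before reserves move
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap(self, token_in: str, amount: float, now: int) -> float:
        self.sync(now)
        r_in, r_out = (self.usdt, self.ngp) if token_in == "USDT" else (self.ngp, self.usdt)
        out = r_out * amount * FEE / (r_in + amount * FEE)  # constant-product payout
        if token_in == "USDT":
            self.usdt, self.ngp = r_in + amount, r_out - out
        else:
            self.ngp, self.usdt = r_in + amount, r_out - out
        return out


def twap(pool: Pool, start_cumulative: float, start_ts: int, now: int) -> float:
    pool.sync(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)


def price_is_sane(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    # Guard: refuse to act on a spot price far from the reference, in either direction.
    return abs(spot - reference) / reference <= max_dev


def simulate(token_in: str, amount: float):
    pool = Pool(usdt=1_000_000.0, ngp=10_000_000.0)  # constructed pool, spot = 0.10
    pool.swap("USDT", 1_000.0, now=600)              # ordinary trade after 10 minutes
    pool.swap(token_in, amount, now=1800)            # swap under test, single block
    spot = pool.spot()
    ref = twap(pool, 0.0, 0, now=1800)               # 30-minute window, same block
    return spot, ref, price_is_sane(spot, ref)
```

Because an oversized swap and the price read happen at the same timestamp, the distorted reserves contribute zero seconds to the accumulator, so the TWAP stays near 0.10 while the spot price moves by an order of magnitude.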
For now, the $2 million loss is another entry in the long list of DeFi hacks that have happened this year. Recently, DeFi platform Nemo Protocol on Sui revealed that its $2.6M exploit on September 7, 2025 stemmed from unaudited code pushed to mainnet via a single-signature upgrade. Hackers exploited a public flash loan function and a faulty query to mint tokens and drain the SY/PT pool.
It shows once again that, in this space, security is still the weakest point, for both builders and investors.
